Joey Caparas
2017-02-14 12:27:34 -08:00
10 changed files with 52 additions and 45 deletions

View File

@ -33,10 +33,9 @@ There are two status indicators on the tile that provide information on the numb
Clicking any of the groups directs you to Machines view, filtered according to your choice.
You can filter the health state list by the following status:
![Windows Defender ATP sensor filter](images/atp-sensor-filter.png)
You can filter the health state list by the following status:
- **Active** - Machines that are actively reporting to the Windows Defender ATP service.
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
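Review bot: The **Inactive** bullet gives no threshold for when a machine stops being counted as reporting, while the troubleshooting topic changed in this same commit states that a machine not in use for more than 7 days, or offboarded for 7 days, is moved to Inactive; stating "have stopped reporting for more than 7 days" here would keep the two pages consistent. Also, the moved sentence "You can filter the health state list by the following status:" now directly introduces the list, which is the right place for it, but "status" should be "statuses" since three are listed.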

View File

@ -52,7 +52,7 @@ For this URL:
- `[query_parameters]` represents additional query parameters such as $filter and $select.
**Quotas**</br>
Each tenant has a defined quota that limits the number of possible Alert definitions and IOCs in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
## Custom TI API metadata
The metadata document ($metadata) is published at the service root.
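Review bot: The rewritten quota sentence is ungrammatical ("limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than "equals"") and uses "Action" for what the API calls `DetectionFunction` (see the IOC payload below). Suggest: "Each tenant has three quotas: one for alert definitions, one for IOCs, and a separate one for IOCs whose DetectionFunction is anything other than Equals. If an upload would exceed any of these quotas, the service returns HTTP 507 (Insufficient Storage)." Use the literal value `Equals` rather than the curly-quoted "equals" so readers match it against the JSON examples.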
@ -70,9 +70,8 @@ You can use the metadata to understand the relationships between entities in cus
The following sections show a few basic programming pattern calls to the custom TI API.
## Create new resource
Typically, you should create an alert definition to start creating custom threat intelligence.
An ID is created for that alert definition. Then, create an Indicator Of Compromise and associate it to the ID of the alert definition.
Typically, you'd need to create an alert definition to start creating custom threat intelligence. An ID is created for that alert definition.
You can then proceed to create an indicator of compromise and associate it to the ID of the alert definition.
### Create a new alert definition
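Review bot: "Typically, you'd need to create an alert definition" reads as conditional; since the IOC payload requires an alert definition ID to bind to, the step is mandatory, so "You first create an alert definition; the response returns its ID, which you then use when creating each indicator of compromise" states the dependency more plainly.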
@ -85,11 +84,11 @@ Content-Type: application/json;
{
"Name": " The name of the IOA. Does not appear in the portal. Max length: 100 ",
"Severity": "Low",
"InternalDescription": "Internal description for the IOA. Does not appear in the portal. Max length: 350",
"Title": "A short, one sentence, description of the IoA. Max length: 120",
"InternalDescription": "Internal description for the alert definition. Does not appear in the portal. Max length: 350",
"Title": "A short, one sentence, description of the alert definition. Max length: 120",
"UxDescription": " Max length: 500",
"RecommendedAction": "Custom text to explain what should be done in case of detection. Max length: 2000 ",
"Category": "Trojan",
"Category": "Category from the metadata",
"Enabled": true
}
```
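Review bot: The `Name` placeholder still says "The name of the IOA" while `InternalDescription` and `Title` in this hunk were changed from "IOA"/"IoA" to "alert definition"; rename it too for consistency. The placeholder strings for `Name`, `UxDescription` and `RecommendedAction` also carry stray leading or trailing spaces inside the quotes (`" The name of ..."`, `" Max length: 500"`, `"... Max length: 2000 "`), which a reader copying the example would send as part of the value; trim them, and give `UxDescription` a one-line description like the other fields.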
@ -97,7 +96,7 @@ Content-Type: application/json;
The following values correspond to the alert sections surfaced on the Windows Defender ATP portal:
![Image of alert from the portal](images/atp-custom-ti-mapping.png)
Highlighted section | JSON Value
Highlighted section | JSON key name
:---:|:---
1 | Title
2 | Severity
@ -125,13 +124,12 @@ If successful, you should get a 201 CREATED response containing the representati
```
### Create a new Indicator of Compromise
### Create a new indicator of compromise
```json
POST https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json;
Content-Length: 194
{
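Review bot: The hard-coded `Content-Length: 194` will no longer match the body once the next hunk shortens `AlertDefinitions@odata.bind` to `AlertDefinition@odata.bind`, and any client that copies the header verbatim with an edited body will send a malformed request. The alert-definition example above omits `Content-Length` entirely; drop it here as well and let the HTTP client compute it.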
@ -139,20 +137,21 @@ Content-Length: 194
"Value": "8311e8b377736fb93b18b15372355f3f26c4cd29",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinitions@odata.bind": "AlertDefinitions(1)"
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}
```
If successful, you should get a 201 CREATED response containing the representation of the newly created Indicators Of Compromise in the payload.
If successful, you should get a 201 CREATED response containing the representation of the newly created indicators of compromise in the payload.
## Bulk upload of alert definitions and IOCs
Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`. </br>
>[!WARNING]
>- This operation is atomic. The entire can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail.
>- If your upload exceeds the IOC quota, the entire operation will fail. Consider limiting your uploads.
>- This operation is atomic. The entire operation can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail.
>- If your upload exceeds the IOCs or alert definitions quota, the entire operation will fail. Consider limiting your uploads.
The requests body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertdefinitions` and in the case of IOC is `IOCs`. This fields value should contain a list of the desired entities.
The requests body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertDefinitions` and in the case of IOC is `iocs`. This fields value should contain a list of the desired entities.
For example:
Sending an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
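Review bot: The response sentence says "the newly created indicators of compromise" although a single POST creates one IOC; make it "indicator of compromise". In the bulk-upload paragraph, "The requests body" should be "The request body" and "This fields value" should be "This field's value". The field names `alertDefinitions` and `iocs` introduced here now match the `iocs` key used in the JSON example below, which is the fix this hunk is after; the old `IOCs` spelling in the warning text ("exceeds the IOCs or alert definitions quota") would read better as "exceeds the IOC or alert definition quota".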
@ -161,19 +160,19 @@ JSON Body:
```json
{
"IOCs": [{
"iocs": [{
"Type": "Sha1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"IndicationOfAttack@odata.bind": "AlertDefinitions(1)"
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
},
{
"Type": "Sha1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"IndicationOfAttack@odata.bind": "AlertDefinitions(1)"
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}
]
}
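Review bot: Both entries in the `iocs` array are identical (same `Type`, same SHA-1 `b68e0b50420dbb03cb8e56a927105bf4b06f3793`, same `DetectionFunction` and same `AlertDefinition@odata.bind`), so the example does not actually demonstrate uploading multiple indicators and, given the atomic-failure warning above, may fail on a duplicate-value check. Use a different hash for the second entry so the sample shows two distinct IOCs bound to alert definition 1.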
@ -191,7 +190,7 @@ Authorization: Bearer <access_token>
Accept: application/json;odata.metadata=none
```
If successful, you should get a 200 OK response containing a single Indications Of Compromise representation (per the specified Id) in the payload, as shown as follows:
If successful, you should get a 200 OK response containing a single indicator of compromise representation (per the specified ID) in the payload, as shown as follows:
```json
HTTP/1.1 200 OK
@ -223,7 +222,7 @@ odata.metadata = none
Authorization: Bearer <access_token>
```
If successful, you should get a 200 OK response containing the collection of Indications Of Attack representation in the payload, as shown as follows:
If successful, you should get a 200 OK response containing the collection of alert definitions representation in the payload, as shown as follows:
```json
HTTP/1.1 200 OK
@ -236,13 +235,13 @@ odata.metadata = none
"Name": "Demo alert definition",
"Severity": "Medium",
"InternalDescription": "Some description",
"Title": "Demo short Ux Desc",
"UxDescription": "Demo ux desc",
"Title": "Demo short ux description",
"UxDescription": "Demo ux description",
"RecommendedAction": "Actions",
"Category": "Malware",
"Id": 1,
"CreatedAt": "2016-12-05T15:50:53Z",
"CreatedBy": "user@Company1.constoso.com",
"CreatedBy": "user@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
@ -251,8 +250,8 @@ odata.metadata = none
"Name": "Demo alert definition 2",
"Severity": "Low",
"InternalDescription": "Some description",
"Title": "Demo short UX Desc2",
"UxDescription": "Demo UX Desc2",
"Title": "Demo short ux description2",
"UxDescription": "Demo ux description2",
"RecommendedAction": null,
"Category": "Malware",
"Id": 2,
@ -282,12 +281,12 @@ Accept: application/json;odata.metadata=none
}
```
If successful, you should get a 200 OK response containing the updated Indications Of Attack representation (per the specified Id) in the payload.
If successful, you should get a 200 OK response containing the updated alert definition representation (per the specified ID) in the payload.
## Update the association (relation) between an Indication Of Compromise to a different Indication Of Attack
## Update the association (relation) between an indicator of compromise to a different alert definition
```json
PUT https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(3)/IndicationOfAttack/$ref HTTP/1.1
PUT https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(3)/AlertDefinition/$ref HTTP/1.1
Authorization : Bearer <access_token>
Content-Type: application/json;
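Review bot: The `Authorization : Bearer <access_token>` line has a space between the header name and the colon; RFC 7230 forbids whitespace there and conforming servers reject such a request, so it should be `Authorization: Bearer <access_token>` as in the other examples. The new heading "Update the association (relation) between an indicator of compromise to a different alert definition" is also ungrammatical ("between ... to"); "Move an indicator of compromise to a different alert definition" says the same thing. The path change to `IndicatorsOfCompromise(3)/AlertDefinition/$ref` correctly matches the singular `AlertDefinition@odata.bind` navigation property used when creating an IOC.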
@ -323,7 +322,7 @@ This action will delete all the IOCs associated with a given alert definition wi
For example, deleting all of the IOCs associated with the alert definition with ID `1` deletes all those IOCs without deleting the alert definition itself.
Send an HTTP POST to `https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfAttack(1)/Actions.DeleteIOCs`.
Send an HTTP POST to `https://TI.SecurityCenter.Windows.com/V1.0/AlertDefinitions(1)/Actions.DeleteIOCs`.
Upon a successful request the response will be HTTP 204.
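Review bot: The corrected URL uses `/V1.0/` while the other request examples in this document use `/v1.0/` (the same capital `V` appears in the BulkUpload URL above); OData service roots are typically case-sensitive, so normalize to `v1.0` everywhere. "Upon a successful request the response will be HTTP 204" could name the status ("204 No Content") to match how 200, 201 and 507 are written elsewhere on the page.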

View File

@ -29,15 +29,14 @@ Machines that are categorized as misconfigured or inactive can have varying caus
An inactive machine is not necessarily due to an issue. The following actions taken on a machine can cause a machine to be categorized as inactive:
**Machine was reinstalled or renamed**</br>
A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain in the portal with a status Inactive. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
**Machine is not in use**</br>
If the machine has not been in use for more than 7 days for any reason, it will remain in the portal in status Inactive
**Machine was reinstalled or renamed**</br>
A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain in the portal with a status Inactive. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
**Machine was offboarded**</br>
If the machine was offboarded it will still appear in machines view. After 7 days, the machine health status should change to inactive.
If the machine was offboarded it will still appear in machines view. After 7 days, the machine health state should change to inactive.
Do you expect a machine to be in Active status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
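Review bot: The "Open a CSS ticket" link in this hunk still points at the long support.microsoft.com URL, while the two other hunks in this file replace that same URL with the go.microsoft.com fwlink and the wording "open a support ticket"; update this one too so all three match. The "Machine is not in use" line is also missing its terminal period, and the hunk changes "health status" to "health state" on the offboarded line but the next sentence still says "Active status"; pick one term.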
@ -57,7 +56,7 @@ The following suggested actions can help fix issues related to a misconfigured m
- Verify client connectivity to Windows Defender ATP service URLs</br>
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
If you took corrective actions and the machine status is still misconfigured, [open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
### No sensor data
A misconfigured machine with status No sensor data has communication with the service but can only report partial sensor data.
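Review bot: The new support link uses plain `http://` for a page that leads to a support sign-in; `https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409` works and avoids a cleartext redirect, so use it here and in the identical sentence at the end of this file. This sentence also still says "machine status is still misconfigured" although the previous hunk standardized on "health state".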
@ -75,4 +74,4 @@ If the endpoints aren't reporting correctly, you might need to check that the Wi
- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy)
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).

Binary file not shown.

After

Width:  |  Height:  |  Size: 129 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 63 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 74 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 88 KiB

After

Width:  |  Height:  |  Size: 111 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 148 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 422 KiB

After

Width:  |  Height:  |  Size: 382 KiB

View File

@ -33,13 +33,23 @@ You can get information from the following sections in the file view:
- Most recent observed machines with file
The file details, malware detection, and prevalence worldwide sections display various attributes about the file. Youll see actions you can take on the file and details such as the files MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the files prevalence worldwide.
The file details, malware detection, and prevalence worldwide sections display various attributes about the file. Youll see actions you can take on the file and details such as the files MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the files prevalence worldwide. You'll also be able to [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#deep-analysis).
![Image of file information](images/atp-file-information.png)
The **Alerts related to this file** section provides a list of alerts that are associated with the file. This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
![Image of alerts related to the file section](images/atp-alerts-related-to-file.png)
The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization.
The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file. This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if youre trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
![Image of file in organization](images/atp-file-in-org.png)
The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file.
![Image of most recent observed machine with the file](images/atp-observed-machines.png)
This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if youre trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
## Stop and quarantine files in your network
You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
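Review bot: Several apostrophes are missing in the changed lines ("Youll see", "the files MD5", "if youre trying"); the new sentence should read "You'll see ... the file's MD5" and the moved paragraph "if you're trying". The worked example in that moved paragraph also does not fit the section it now sits under: the section is "Most recent observed machines with the file", but the example describes narrowing to "files that communicated with that IP Address", which is the IP page's scenario; either reword it around machines observed with this file in a time window, or drop it. In the context line that follows, "stopping the malicious process and quarantine the file" should be "quarantining".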